Debian Security Advisory
DSA-388-1 kdebase -- several vulnerabilities
- Date Reported:
- 19 Sep 2003
- Affected Packages:
- kdebase
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 8635, BugTraq ID 8636.
In Mitre's CVE dictionary: CVE-2003-0690, CVE-2003-0692. - More information:
-
Two vulnerabilities were discovered in kdebase:
- CAN-2003-0690:
KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.
- CAN-2003-0692:
KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.
These vulnerabilities are described in the following security advisory from KDE:
http://www.kde.org/info/security/advisory-20030916-1.txt
For the current stable distribution (woody) these problems have been fixed in version 4:2.2.2-14.7.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you update your kdebase package.
- CAN-2003-0690:
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.dsc
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.diff.gz
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-doc_2.2.2-14.7_all.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdewallpapers_2.2.2-14.7_all.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdewallpapers_2.2.2-14.7_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_arm.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_i386.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mips.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_s390.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_sparc.deb
MD5 checksums of the listed files are available in the original advisory.